1. Field of the Invention
The invention relates to personal tokens used for authentication in a telecommunication network such as a mobile telephony network.
The invention relates in particular to SIM cards or other personal tokens which are coupled with a mobile phone.
2. Description of the Related Art
The GSM fraud-prevention framework relies on special cryptographic codes to authenticate customers and bill them appropriately.
A personalized smartcard (called a SIM) in the cell phone stores a secret key usually referred to as “Ki” which is used to authenticate the customer. Knowledge of the key is sufficient to make calls billed to that customer.
The tamper-resistant smart card is supposed to protect the key from disclosure (even against adversaries which may have physical access to the SIM). Authentication is done with a cryptographic protocol in the card, which allows the SIM to “prove” knowledge of the key to the service provider, thus authorizing a call.
The COMP128 authentication algorithm, stored and run in the card is a function of the secret key Ki, and a random value Rand which is received from the remote server during the authentication process. The COMP128 algorithm is used for generating a result (SRES) as per the following equation:SRES=COMP128(Ki,Rand).
As illustrated on FIG. 1, the result SRES as calculated by the SIM is then passed on by the handset to the Authentication Center AuC (the operator's remote server) in the GSM network and a similar authentication calculation is performed by the authentication center AuC.
The authentication center is enabled to perform such same calculation due to the fact that it stores the secret key Ki of the SIM card as well as the authentication algorithm which is used in the card. The result generated by the AuC is compared with the result generated by the SIM card, and if they match the SIM is authenticated to the network.
That is why gaining knowledge of the Ki would let a hacker clone the card.
To determine the Ki the hacker tries a multiple times to generate SRES using different Rand as mentioned above.
To obtain the Ki, a hacker would have to interact with the SIM repeatedly. After a sufficient number of queries with different allegedly random numbers, the attacker can use some mathematical technique to learn the secret key which has been used for producing the corresponding results.
An equation Func is used which relies on mathematical techniques of co-relation and regression, which function Func allows to derive the Ki:Ki=Func(SRES,Rand)
On deriving the Ki the hacker can prepare a cloned SIM card and try to log in and attach to the network. Thus once the key is determined, the SIM card is hacked and it is possible to make fraudulent calls, which will be billed, to the original holder of the card.
The operator cannot detect that the card is cloned until the original holder informs the operator. This might lead to the continuation of fraud with the authentic holder not knowing that the fraud has occurred. If the GSM network operator knows that the fraud has actually occurred on a particular SIM an appropriate preventive action could be taken.